Add --insecure-skip-tls-verify CLI Flag for Development Environments #17
Description
Problem
Users connecting to HTTPS endpoints with self-signed certificates (common in development/testing environments) cannot use aepcli because TLS verification fails.
Current behavior:
$ aepcli myapi resources list
Error: Get "https://api.dev.local": x509: certificate signed by unknown authorityImpact: Developers cannot test against local development servers or staging environments with self-signed certificates.
Motivation
Development and testing environments often use self-signed certificates or certificates from non-trusted CAs. While adding the CA certificate to the system trust store
is the proper long-term solution, this is not always practical or possible:
- Enterprise restrictions: Developers often lack administrative privileges to modify system trust stores in managed environments
- Policy constraints: Corporate security policies may prohibit system-level certificate modifications
- Workflow friction: Containerized and ephemeral development environments don't persist trust store changes
- Cross-platform complexity: Trust store management differs significantly across Windows, macOS, and Linux
Developers need a non-privileged, portable way to bypass verification for local testing without requiring system-level changes or administrative approval.
Similar features in other CLI tools:
- kubectl:
--insecure-skip-tls-verify - curl:
--insecure/-k - docker:
--tlsverify=false
User Story
As a developer testing against a local API server,I want to disable TLS certificate verification via a CLI flag,So that I can test my API interactions without
certificate errors.
Proposed Solution
Add a --insecure-skip-tls-verify CLI flag that:
- Disables TLS certificate verification when set
- Defaults to false (verification enabled)
- Displays prominent security warnings to stderr
- Uses an intentionally verbose name to discourage casual use
Expected Behavior
Without flag (default - secure):
$ aepcli myapi resources list
Error: Get "https://api.dev.local": x509: certificate signed by unknown authority
With flag (verification disabled):
$ aepcli --insecure-skip-tls-verify myapi resources list
{
"resources": [...]
}
Combined with other flags:
$ aepcli --insecure-skip-tls-verify --log-http myapi resources create foo --name="test"
Request: POST https://api.dev.local/resources
...
Acceptance Criteria
- --insecure-skip-tls-verify flag is available as a persistent flag
- Flag defaults to false (TLS verification enabled by default)
- When flag is true, TLS certificate verification is disabled
- Security warning is printed to stderr every time the flag is used
- Warning message clearly states this is for development/testing only
- Connections to endpoints with self-signed certificates succeed when flag is set
- Connections to endpoints with valid certificates continue to work
- Flag can be combined with all other existing flags
- Unit tests validate flag behavior
- Integration tests verify connections with self-signed certificates
- Documentation includes usage examples and security warnings
Security Considerations
This feature intentionally reduces security and must be implemented carefully:
- Default is secure: Must default to false (verification enabled)
- Verbose naming: Flag name should be long and scary to discourage casual use (following kubectl's pattern)
- Mandatory warnings: Warning must be displayed to stderr and cannot be suppressed
- Clear documentation: Must emphasize this is for development/testing only, never production
Out of Scope
The following are explicitly out of scope for this issue and will be addressed separately:
- Environment variable support (e.g., AEPCLI_INSECURE_SKIP_TLS_VERIFY)
- Configuration file support
- Custom CA certificate support
- Per-API TLS configuration
Related Issues
- #TBD - Add environment variable support for skip-tls-verify
- #TBD - Add config file support for skip-tls-verify
- #TBD - Add custom CA certificate support
References
- https://kubernetes.io/docs/reference/kubectl/generated/kubectl_commands#-em-insecure-skip-tls-verify-em-
- https://curl.se/docs/manpage.html#-k
- https://pkg.go.dev/crypto/tls#Config
Additional Context
This is the first step in a series of TLS configuration improvements. Future enhancements will add:
- Environment variable support (for CI/CD)
- Config file support (for persistent dev environment configuration)
- CA certificate support (proper solution for enterprise/internal CAs)